Understand app privacy & security practices with Google Play's Data safety section

Developers do not need to disclose data accessed by an app as "collected" in the Data safety section if:

• An app accesses the data only on your device and it is not sent off your device. For example, if you provide an app permission to access your location, but it only uses that data to provide app functionality on your device and does not send it to its server, it does not need to disclose that data as collected.
• Your data is sent off the device but only processed ephemerally. This means the developer accesses and uses your data only when it is stored in memory, and retains the data for no longer than necessary to service a specific request. For example, if a weather app sends your location off your device to get the current weather at your location, but the app only uses your location data in memory and does not store the data for longer than necessary to provide the weather.
• Your data is sent using end-to-end encryption. This means the data is unreadable by anyone other than the sender and recipient. For example, if you send a message to a friend using a messaging app with end-to-end encryption, only you and your friend can read the message.

Sometimes apps may redirect you to a different service to complete a certain action. For example, an app may direct you to a payment service such as PayPal, Google Pay, or another similar service, to complete a purchase. In these cases, the app developer does not need to declare the data collected by the other service if:

• The app does not access this information, and
• You provide this information directly to the other service under that service’s privacy policy and terms of service.

In some cases, app developers do not need to declare data that is transferred to others as "shared" in the Data safety section. This includes when:

• The data is transferred to a third party based on a specific action that you initiate, where you reasonably expect the data to be shared. For example, when you send an email to or share a document with another person.
• The data transfer to a third party is prominently disclosed in the app, and the app requests your consent in a way that meets the requirements of Google Play’s User Data policy.
• The data is transferred to a service provider to process it on the developer’s behalf. For example, a developer may use a service provider to host data on their behalf and in compliance with the developer's instructions, contractual terms, privacy policies, and security standards.
• The data is transferred for specific legal purposes, such as in response to a government request.
• The data transferred is fully anonymized so it can no longer be associated with any individual.

Developers can describe certain security practices they use. This includes if their app:

• Encrypts data that it collects or shares while it’s in transit.
  • Some apps are designed to let you transfer your data to another site or service. These apps may declare in their Data safety section that your data is transferred over a secure connection as long as they use best industry standards to safely encrypt your data while it travels between your device and the app’s servers. The sites or services that you choose to have your data transferred to may have different privacy and security practices. Review those practices independently to ensure that you are transferring your data to secure destinations. For example, a messaging app that declares that it encrypts your data in transit may give you an option to send an SMS message through your mobile services provider. You should review the data handling practices of your mobile services provider, as it may not be using encryption in transit to securely send SMS messages over its mobile network.
• Has been independently reviewed against a global security standard. This independent review validates the app’s security practices against a global standard. The third-party organizations performing the review are doing so on the developers' behalf. This review does not verify the accuracy and completeness of the developer’s Data safety section disclosure.
• Offers payments through Unified Payments Interface (UPI). UPI is an instant money transfer system. It was developed by the National Payments Corporation of India (NPCI), an RBI-regulated entity. Developers indicate that NPCI has verified and validated this app's implementation of UPI. This security practice is only available for app use in India.

The Data deletion section lets developers describe what ways they provide for you to remove your data in the app.

Some apps may offer you the ability to create an account. Apps that offer account creation must:

• Provide users with an in-app path to delete their app accounts and associated data.
• Provide a web link resource where users can request app account deletion and associated data deletion.

Some apps that offer account creation may also offer you the option to delete certain app data without deleting your entire account.

Other apps don’t offer account creation, but may provide a way for you to delete your associated data. To learn how to request the deletion of your data and how the developer responds to and handles data deletion requests:

• Review the app's privacy policy.
• Contact the developer.

Learn more about the disclosures for account management data and system services.

Account management

Some apps let you create an account or add info to an account that the developer uses across its services. A developer might use the account data collected through the app for additional purposes across its services that are not specific to the app, such as fraud prevention or advertising. Developers may disclose this collection and use of account data across their services as "Account management." Developers must still declare all purposes for which the app itself uses the data. Review the app’s information, such as their privacy policy, to understand how a developer uses your account data across their services.

System services

System services are pre-installed software on some devices and cannot be uninstalled. They support device-specific features or functions. Developers of qualifying system services are not required to complete a Data safety section. You can review the developer’s site and privacy policy to learn more about their data safety practices.

The app permissions list shows what specific data or features that an app can access or to which it might request access. This list includes:

• Data or features required for the app to work, like mobile network access
• Data the app requests while you use it, like access to your camera

This list is based on technical information that describes how the developer’s app works. It’s different from the Data safety section, which is based on information declared by app developers about how they collect, share, and handle your data.

Sometimes, the information in the app permissions list may be different from what's in the Data safety section. Some of the possible reasons for this include:

• The app accesses data to process it on the device, but doesn’t collect or share it.
• The app collects data in a way that’s not managed by permissions.
• The service or data type in the permissions list isn’t covered in the Data safety section.